{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5442", "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "state": "PUBLISHED", "assignerShortName": "certcc", "dateReserved": "2026-04-02T19:22:48.196Z", "datePublished": "2026-04-09T14:43:43.571Z", "dateUpdated": "2026-04-14T16:34:39.322Z"}, "containers": {"cna": {"title": "Heap Buffer Overflow in DICOM Image Decoder via VR UL Dimensions", "descriptions": [{"lang": "en", "value": "A heap buffer overflow vulnerability exists in the DICOM image decoder. Dimension fields are encoded using Value Representation (VR) Unsigned Long (UL), instead of the expected VR Unsigned Short (US), which allows extremely large dimensions to be processed. This causes an integer overflow during frame size calculation and results in out-of-bounds memory access during image decoding."}], "source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "Orthanc", "product": "DICOM Server", "versions": [{"status": "affected", "version": "0", "lessThanOrEqual": "1.12.10", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-190 Integer Overflow or Wraparound"}]}], "references": [{"url": "https://www.orthanc-server.com/"}, {"url": "https://www.machinespirits.de/"}, {"url": "https://kb.cert.org/vuls/id/536588"}], "x_generator": {"engine": "VINCE 3.0.35", "env": "prod", "origin": "https://cveawg.mitre.org/api/cve/CVE-2026-5442"}, "providerMetadata": {"orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc", "dateUpdated": "2026-04-09T14:43:43.571Z"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T15:12:07.779154Z", "id": "CVE-2026-5442", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T16:34:39.322Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-5442", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-14T15:12:07.779154Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T15:12:01.918Z"}}], "cna": {"title": "Heap Buffer Overflow in DICOM Image Decoder via VR UL Dimensions", "source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "Orthanc", "product": "DICOM Server", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.12.10"}]}], "references": [{"url": "https://www.orthanc-server.com/"}, {"url": "https://www.machinespirits.de/"}, {"url": "https://kb.cert.org/vuls/id/536588"}], "x_generator": {"env": "prod", "engine": "VINCE 3.0.35", "origin": "https://cveawg.mitre.org/api/cve/CVE-2026-5442"}, "descriptions": [{"lang": "en", "value": "A heap buffer overflow vulnerability exists in the DICOM image decoder. Dimension fields are encoded using Value Representation (VR) Unsigned Long (UL), instead of the expected VR Unsigned Short (US), which allows extremely large dimensions to be processed. This causes an integer overflow during frame size calculation and results in out-of-bounds memory access during image decoding."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-190 Integer Overflow or Wraparound"}]}], "providerMetadata": {"orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc", "dateUpdated": "2026-04-09T14:43:43.571Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5442", "state": "PUBLISHED", "dateUpdated": "2026-04-14T16:34:39.322Z", "dateReserved": "2026-04-02T19:22:48.196Z", "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "datePublished": "2026-04-09T14:43:43.571Z", "assignerShortName": "certcc"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:orthanc-server:orthanc:*:*:*:*:*:*:*:*", "matchCriteriaId": "A259075D-8B77-4B04-BC42-3E5ABE9DFE1F", "versionEndExcluding": "1.12.11", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A heap buffer overflow vulnerability exists in the DICOM image decoder. Dimension fields are encoded using Value Representation (VR) Unsigned Long (UL), instead of the expected VR Unsigned Short (US), which allows extremely large dimensions to be processed. This causes an integer overflow during frame size calculation and results in out-of-bounds memory access during image decoding."}], "id": "CVE-2026-5442", "lastModified": "2026-04-14T20:19:46.320", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-09T15:16:16.543", "references": [{"source": "cret@cert.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://kb.cert.org/vuls/id/536588"}, {"source": "cret@cert.org", "tags": ["Not Applicable"], "url": "https://www.machinespirits.de/"}, {"source": "cret@cert.org", "tags": ["Product"], "url": "https://www.orthanc-server.com/"}], "sourceIdentifier": "cret@cert.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.12.10]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "DICOM Server", "source": "cna", "vendor": "Orthanc"}, "product": "dicom_server", "vendor": "orthanc"}], "analysis": {"en": {"generated_at": "2026-04-15T22:34:44.715759+00:00", "value": {"mitigation_remediation": ["Update Orthanc to the latest release that contains the decoder fix. Consult Orthanc documentation for patch details.", "Restrict network access to the DICOM server so that only trusted hosts can send DICOM files.", "Enable detailed logging of decoding failures and monitor for anomalous DICOM traffic."], "summary": {"action": "Immediate Patch", "impact": "Out-of-Bounds Memory Access"}, "threat_synthesis": {"affected_systems": "Any deployed instance of Orthanc DICOM Server that uses the described decoder logic is potentially vulnerable. The CNA does not list specific product versions or releases, so administrators should verify the version and check the change log or source code for the decoder component to assess exposure.", "description_and_impact": "The Orthanc DICOM Server contains a heap buffer overflow in its image decoder. The decoder mistakenly accepts dimension fields encoded as Unsigned Long instead of Unsigned Short, allowing a malicious DICOM file to specify dimensions that overflow an integer used in frame size computation. The resulting integer overflow causes an out-of-bounds memory write during decoding, which can corrupt memory and potentially crash the server or, if attacker-controlled data is correctly positioned, lead to code execution. The vulnerability details only confirm memory corruption, and the possibility of arbitrary code execution is inferred and not definitively proven by the CVE description.", "risk_and_exploitability": "With a CVSS score of 9.8 the technical impact is severe, yet the EPSS score is less than 1\u202f% indicating that exploitation is currently rare. The risk is further mitigated by the fact that the vulnerability is not included in the CISA KEV catalog. The likely attack vector is remote: an adversary can deliver a malicious DICOM file to the server over a network connection. If this flaw is exploited, the server may crash or potentially be taken over, compromising the integrity and availability of patient data."}}}}, "created": "2026-04-10T08:53:25.652214+00:00", "updated": "2026-04-15T22:45:16.433382+00:00", "vendors": ["orthanc", "orthanc$PRODUCT$dicom_server"]}